Saturday, May 29, 2010

Hardening guide for Lighttpd 1.4.26 on RedHat 5.5 (64bit edition)

1. Log in to the server using the root account.
2. Create a new account:
groupadd lighttpd
useradd -g lighttpd -d /dev/null -s /sbin/nologin lighttpd
3. Mount the RHEL 5.4 DVD and change to the RPM folder:
mount /dev/hdc /media
cd /media/Server
4. Before compiling the Lighttpd environment, install the following RPMs:
rpm -ivh kernel-headers-2.6.18-194.el5.x86_64.rpm
rpm -ivh glibc-headers-2.5-49.x86_64.rpm
rpm -ivh glibc-devel-2.5-49.x86_64.rpm
rpm -ivh gmp-4.1.4-10.el5.x86_64.rpm
rpm -ivh libgomp-4.4.0-6.el5.x86_64.rpm
rpm -ivh gcc-4.1.2-48.el5.x86_64.rpm
rpm -ivh pcre-devel-6.6-2.el5_1.7.x86_64.rpm
rpm -ivh e2fsprogs-devel-1.39-23.el5.x86_64.rpm
rpm -ivh keyutils-libs-devel-1.2-1.el5.x86_64.rpm
rpm -ivh libsepol-devel-1.15.2-3.el5.x86_64.rpm
rpm -ivh libselinux-devel-1.33.4-5.5.el5.x86_64.rpm
rpm -ivh krb5-devel-1.6.1-36.el5_4.1.x86_64.rpm
rpm -ivh zlib-devel-1.2.3-3.x86_64.rpm
rpm -ivh openssl-devel-0.9.8e-12.el5_4.6.x86_64.rpm
5. Download Lighttpd 1.4.26 from:
http://www.lighttpd.net/download/
6. Copy the Lighttpd 1.4.26 source files using PSCP (or SCP) into /tmp
7. Move to /tmp
cd /tmp
8. Extract the lighttpd-1.4.26.tar.gz file:
tar -zxvf lighttpd-1.4.26.tar.gz
9. Download the file below into the folder /tmp/lighttpd-1.4.26/src: http://redmine.lighttpd.net/projects/lighttpd/repository/revisions/2716/raw/branches/lighttpd-1.4.x/src/network.c
10. Move to the Lighttpd source folder:
cd /tmp/lighttpd-1.4.26
11. Run the commands below to compile the Lighttpd environment:
./configure --with-openssl --without-bzip2
make
make install
12. Create the following folders:
mkdir -p /etc/lighttpd
mkdir -p /var/log/lighttpd
mkdir -p /var/cache/lighttpd/compress
13. Copy the lighttpd.conf file:
cp /tmp/lighttpd-1.4.26/doc/lighttpd.conf /etc/lighttpd/lighttpd.conf
14. Update ownership and permissions on the Lighttpd folders:
chown lighttpd:lighttpd /var/log/lighttpd
chown lighttpd:root /etc/lighttpd/lighttpd.conf
chown lighttpd:lighttpd /var/cache/lighttpd/compress
chmod o-r /etc/lighttpd/lighttpd.conf
chmod -R o-r /var/log/lighttpd
15. Create folder for the web content:
mkdir -p /www
16. Update ownership and permissions on the web content folder:
chown -R root /www
chmod -R 775 /www
17. Using vi, edit the file /etc/lighttpd/lighttpd.conf and change the following strings:
From:
server.document-root = "/srv/www/htdocs/"
To:
server.document-root = "/www"

From:
#server.bind = "127.0.0.1"
To:
server.bind = "Server_FQDN"

From:
# server.tag = "lighttpd"
To:
server.tag = "Secure Web Server"

From:
#server.username = "wwwrun"
To:
server.username = "lighttpd"

From:
#server.groupname = "wwwrun"
To:
server.groupname = "lighttpd"

From:
#dir-listing.activate = "enable"
To:
dir-listing.activate = "disable"

18. Using vi, create a file called /etc/sysconfig/lighttpd with the following content:
LIGHTTPD_CONF_PATH=/etc/lighttpd/lighttpd.conf
19. To manually start Lighttpd use the command:
/usr/local/sbin/lighttpd -f /etc/lighttpd/lighttpd.conf
20. To start the Lighttpd service at server start-up, edit the file /etc/rc.local using vi and add the line below:
/usr/local/sbin/lighttpd -f /etc/lighttpd/lighttpd.conf
21. Remove the Lighttpd source files:
rm -rf /tmp/lighttpd-1.4.26
rm -f /tmp/lighttpd-1.4.26.tar.gz
22. Uninstall the following RPMs:
rpm -e gcc-4.1.2-48.el5
rpm -e libgomp-4.4.0-6.el5
rpm -e gmp-4.1.4-10.el5
rpm -e glibc-devel-2.5-49
rpm -e glibc-headers-2.5-49
rpm -e kernel-headers-2.6.18-194.el5
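
Added example (not part of the original guide): a shell check that the edits from step 17 are really active in lighttpd.conf, since a line left commented out silently keeps the default. The function names and the sample configuration are constructed for illustration.

```shell
# Added example: audit lighttpd.conf against the values chosen in step 17.
# Limitation: lines are matched textually, so a value inside a conditional
# block is treated like a global one.

# conf_value FILE KEY: print the last uncommented, quoted value of KEY.
conf_value() {
    key=$(printf '%s' "$2" | sed 's/\./\\./g')   # escape dots for the regex
    sed -n "s/^[[:space:]]*${key}[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$1" | tail -n 1
}

# audit_lighttpd_conf FILE: print PASS/FAIL per setting, return the failure count.
audit_lighttpd_conf() {
    conf=$1 failures=0
    while read -r key expected; do
        actual=$(conf_value "$conf" "$key")
        if [ "$actual" = "$expected" ]; then
            echo "PASS $key = \"$actual\""
        else
            echo "FAIL $key: want \"$expected\", found \"${actual:-<unset>}\""
            failures=$((failures + 1))
        fi
    done <<EOF
server.document-root /www
server.tag Secure Web Server
server.username lighttpd
server.groupname lighttpd
dir-listing.activate disable
EOF
    # server.bind is site-specific (Server_FQDN in the guide): only require it to be set.
    if [ -n "$(conf_value "$conf" server.bind)" ]; then
        echo "PASS server.bind is set"
    else
        echo "FAIL server.bind is unset (lighttpd listens on all interfaces)"
        failures=$((failures + 1))
    fi
    return "$failures"
}

# Constructed sample: the "From:" lines of step 17 with only user and group fixed.
sample=$(mktemp)
cat > "$sample" <<'EOF'
server.document-root = "/srv/www/htdocs/"
#server.bind = "127.0.0.1"
# server.tag = "lighttpd"
server.username = "lighttpd"
server.groupname = "lighttpd"
#dir-listing.activate = "enable"
EOF
audit_lighttpd_conf "$sample" || echo "$? setting(s) still need attention"
rm -f "$sample"
```

On the server, run audit_lighttpd_conf /etc/lighttpd/lighttpd.conf after step 17; the exit status is the number of settings that still differ from the guide.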